Simplifying the Conversation Around Edge Security

By Eron Reece, Senior Architect
12/18/2020

As the world fully realizes a major shift to a decentralized workforce, and advanced technologies bring us a growing number of endpoints in the Internet of Things (IoT), edge security has definitely taken a more prominent place in the overarching security discussion.

For those who may not be as familiar, edge security refers to protecting the data that resides in or travels through devices/endpoints apart from centralized cloud or data center environments. Any device requiring access to your network, from personal computers to smart thermometers to MRI machines, is a potential threat without proper network access control in place. And securing these devices and your networks is no small task. From network architecture to security frameworks, there’s a lot to consider.

But, essentially, a secure edge in a lot of ways comes down to network access control: identity-based permissions and IT access. And one of the biggest takeaways in the edge security discussion (or at least, the key takeaway of a discussion Jason Rader, Larry Lunetta from Aruba, and I recently held on LinkedIn Live) is that identity is the key to assigning policies and permissions that will protect your network and data.

There’s a fun but practical illustration I like to use that’s been an eye-opener for many of our clients. I’ll break it down here for you: 

The security speakeasy

Role-Based Access Control (RBAC) is a lot like a 1920s speakeasy.

You have a location in mind, you stroll down the alley to get to the door, you knock, and a little window slides open. The bouncer scans your appearance for an initial evaluation: Are you a cop? A gangster? Are you acceptable to be allowed inside?

This first step of the process is roughly equivalent to initial connection and device fingerprinting. You’ve made contact and been assessed for recognizability. With acceptable recognition established, the door is opened.

Next, the bouncer frisks you, looking you over for any dangerous or illicit goods, confirming that you are who you say you are, and ensuring your credibility and intent. This second step is a lot like device or user profiling: there’s an expected and established — and most importantly, confirmed — definition for who you are and why you’re there.

But trusting everyone who makes it past the door is no way to run a speakeasy. Further steps need to be taken to ensure continuing security. So, the bouncers keep an eye on you over the weeks and years. They not only know how you look and sound, but they begin to track and understand how you act. For instance, if you’ve shown up every weekend for gin and tonics, then suddenly arrive on a Wednesday for whiskey sours, that’s going to look a little suspicious. You’ll probably be flagged for questioning. And that’s your behavioral analysis, or traffic analysis — an area in which AI and ML are being leveraged to great success. 
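To make the three steps concrete, here is an added example (not code from the original post) of a toy admission check in Python: a constructed set of known device fingerprints stands in for the bouncer's first look, a constructed role policy for the frisk, and a behavioral baseline learned from past admitted events for the regulars the bouncers have come to know. A request that the role permits but that departs from the identity's usual pattern is flagged for review rather than allowed outright.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    device_id: str   # fingerprint presented at the "door"
    user: str
    role: str        # role confirmed during the "frisk"
    resource: str    # what the user asks to reach
    weekday: int     # 0 = Monday ... 6 = Sunday


# Constructed inventory of recognised device fingerprints (step 1)
KNOWN_DEVICES = {"mac:aa-bb-cc-00-11-22", "mac:aa-bb-cc-00-11-23"}

# Constructed role policy: which resources each confirmed role may reach (step 2)
ROLE_POLICY = {
    "radiologist": {"imaging-vlan", "pacs"},
    "guest": {"internet-only"},
}


def build_baseline(history):
    """Learn each user's habitual (weekend?, resource) pairs from admitted events."""
    baseline = {}
    for ev in history:
        baseline.setdefault(ev.user, set()).add((ev.weekday >= 5, ev.resource))
    return baseline


def evaluate(ev, baseline):
    """Return 'deny', 'allow' or 'flag' for one access request."""
    # Step 1: initial connection and device fingerprinting
    if ev.device_id not in KNOWN_DEVICES:
        return "deny"
    # Step 2: profiling, the confirmed role must permit the requested resource
    if ev.resource not in ROLE_POLICY.get(ev.role, set()):
        return "deny"
    # Step 3: behavioural analysis, compare with what this identity usually does
    habits = baseline.get(ev.user)
    if habits and (ev.weekday >= 5, ev.resource) not in habits:
        return "flag"  # permitted by role, but off-pattern: route to review
    return "allow"


# Constructed history: alice reaches PACS on Saturdays and Sundays only
HISTORY = [AccessEvent("mac:aa-bb-cc-00-11-22", "alice", "radiologist", "pacs", d) for d in (5, 6)]
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    sat = AccessEvent("mac:aa-bb-cc-00-11-22", "alice", "radiologist", "pacs", 5)
    wed = AccessEvent("mac:aa-bb-cc-00-11-22", "alice", "radiologist", "imaging-vlan", 2)
    print(evaluate(sat, BASELINE), evaluate(wed, BASELINE))  # allow flag
```

A user with no history yet (bob below) is allowed on role alone, since there is no pattern to compare against; a production system would usually treat that first-seen state more cautiously.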

From site-centric to user-centric

This illustration is an easy way to understand the need for holistic security integrations. It’s imperative to carry security past the access point and through the entire environment. In the real world, this is summed up with the relatively newer concept of Secure Access at the Service Edge (SASE), which is a way of thinking of security as a combination of infrastructure components, SD-WAN, and cloud-based controls.

SASE is, practically speaking, the natural evolution of a zero-trust framework to include cloud considerations. When zero-trust principles were gaining traction, the security discussion still primarily revolved around location-centric controls. But as organizations have wholesale adopted all-cloud or hybrid-cloud models, their approach to security has had to adapt. And now, we have the SASE model, which is still founded on the principles of zero-trust, but with the trust broker now based on identity as opposed to connection.

While securing the edge, in practice, really is a fairly complex ball of yarn, I hope that this breakdown helps simplify for you some of the concepts and strategies it takes to build a comprehensive approach to security. 

As a reminder: the majority of breaches don’t happen from the outside — they come from inside the company, from someone who had access. And waiting to do something about your security posture until something unfortunate happens is possibly the worst move you can make. Edge security is a journey that starts with asking the right questions. You can find some starter questions here.